Proof-of-concept: unauthenticated access to NFT-gated content via the /verify endpoint. Videos are proxied through a local server that adds the required Referer header.
POST https://nucast.herokuapp.com/verify
Content-Type: application/json
{"policy": "<from public movies table>", "content_id": "<movie_id>"}
Response (NO auth required):
{"480p":{"url":"https://sia.nucast.io/xxx.mp4?token=..."},
"1080p":{"url":"https://sia.nucast.io/yyy.mp4?token=..."},
"4k":{"url":"https://sia.nucast.io/zzz.mp4?token=..."}}
Both policy and content_id are publicly readable from the Supabase movies table using the anon key embedded in bundle.js. The endpoint generates time-limited signed URLs (~1hr) but performs zero ownership verification.